Guarding against the digital storm: Cybersecurity in Bermuda insurance

The 2024 Bermuda Cyber Risk Management Report, published by the Bermuda Monetary Authority (BMA), evaluates the state of operational cyber risk management across the insurance sector. The report focuses on commercial insurers, insurance managers as well as agents and brokers. It highlights steady improvements, with 98% of such entities having board-approved cyber risk policies and 97% regularly communicating programme updates to senior management and boards. These practices align with the requirements outlined in the BMA’s Operational Cyber Risk Management Code of Conduct (Code), which emphasizes proportionality, robust governance, and tailored controls based on the entity’s scale and complexity. However, several critical areas require attention.

Classifying data is a requirement of the Code. Data should be classified and protected in a manner commensurate with its sensitivity, value and criticality. Despite BMA guidance, data classification remains a challenge, with only 75% of entities completing this process, falling short of regulatory expectations. Third-party risk management is another area of concern, with only 87% of entities having conducted risk assessments in 2023. Third-party service providers must be subjected to third-party risk reviews by the entity. Oversight of outsourced functions and inclusion of comprehensive contractual clauses with service providers require further strengthening.

Entities show mixed performance in critical areas such as Data Loss Prevention (DLP) controls, encryption practices, and annual testing of business continuity and disaster recovery plans. DLP controls are implemented by 84% of entities, while compliance with disaster recovery testing dropped to 85%. Network security controls, including regular vulnerability scanning and penetration testing, remain inconsistent, underscoring the need for a more rigorous approach. Any new internet-facing service should be subject to a penetration test before going into production.

Phishing attacks and weak authentication practices are identified as major risks. The report emphasizes the importance of adopting controls like Two-Factor Authentication, Secure Software Development Frameworks, and robust supply chain security for third-party services. The Code also mandates that significant cyber reporting events - those with the potential to disrupt business operations or compromise sensitive data - be reported to the BMA within 72 hours of determination or confirmation. Entities must submit a detailed incident report within 14 days, covering the root cause, actions taken, and impact assessment. Where the root cause is not initially known, interim reports must be provided, followed by a final report upon investigation completion. The BMA treats these incidents with strict confidentiality and uses the data to refine the risk profiles of registrants and the broader sector.

The report acknowledges that there have been improvements but stresses the need for stronger governance, third-party risk oversight, and proactive measures to mitigate emerging cyber threats. It confirms the BMA’s commitment to continued monitoring, enforcing compliance with the Code, and enhancing reporting processes to support the sector in maintaining resilience against cyber risks.